From: "Kerin Millar" <kfm@plushkava.net>
To: netfilter@vger.kernel.org
Subject: Re: How to have a dynamic ingress device(s) list?
Date: Thu, 25 Apr 2024 00:25:31 +0100
Message-ID: <eb3a3017-e09a-4484-9a48-abf3916e25c9@app.fastmail.com>
In-Reply-To: <20240424192033.5f05ef18@localhost>
On Wed, 24 Apr 2024, at 8:20 PM, William N. wrote:
> On Wed, 24 Apr 2024 19:49:28 +0100 Kerin Millar wrote:
>
>> Rather, "define nics".
>
> Yes, sorry.
>
>> You mentioned the use of bash, which is capable of serving as a generator.
>
> Thanks, I know. The thing is that nics can be added/removed at any
> point in time, not just at startup, which makes it more complicated.
It does. Given that this cannot yet be addressed by nftables alone, I have an idea.
1) write a tmpfiles.d snippet to ensure the presence of a dedicated FIFO
2) write a script that continually reads lines from said FIFO
3) write a .service unit for the script
4) write a udev rule to assume responsibility for writing to said FIFO
The udev rule would need only to respond to the "add" and "remove" events for ethernet devices. The command/script invoked by said rule would need only to write a newline to the FIFO. The use of a FIFO would obviate the need for the main script to be reentrant by ensuring that events are responded to in a serial fashion. The event loop would be trivial to implement.
# Opens the FIFO in read/write mode to keep it perpetually open.
while read -r; do
    # An event arrived. Execute the generator and reload the ruleset.
    /path/to/your/include/generator && systemctl restart nftables
done <> /path/to/fifo
Combine all that with a partial nftables.service override to ensure that the generator is also triggered by an ExecStartPre command and it should do the job.
>
>> It does not.
>>
>> # nft 'define nics = { "enp1s0" }; table netdev t { chain c { type filter hook ingress devices = $nics priority -500; }; }'
>
> This gives segfault here.
>
>> Perhaps you need to upgrade nft.
>
> Here:
>
> # nft -V
> nftables v1.0.6 (Lester Gooch #5)
> cli: editline
> json: yes
> minigmp: no
> libxtables: yes
>
> On Debian 12 stable.
Alas, a vendor's notion of what is 'stable' counts for very little in practice; they merely pretend to backport important bug fixes. This is an ongoing issue for nftables, which has many bugs. It is at its best in a rolling distribution or if compiling by oneself.
>
>
>> Can you provide a minimal ruleset that reproduces the segfault?
>
> #!/usr/sbin/nft -f
>
> flush ruleset
>
> define nics = { "eth0" }
> table netdev filter
> delete table netdev filter
>
> table netdev filter {
>     chain ingress_internal {
>         type filter hook ingress devices = $nics priority -500
>     }
> }
I see. That has since been addressed, at least.
--
Kerin Millar
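The FIFO-driven loop and generator described in the reply above, written out as an added example rather than anything posted in the thread. The paths (/run/nft-nics.fifo, /etc/nftables.d/nics.nft), the sysfs-based device enumeration and the assumption that the main ruleset includes the generated file before the netdev table are all mine; the tmpfiles.d snippet, udev rule and service units are not reproduced here.

```shell
#!/bin/sh
SYSFS_NET=${SYSFS_NET:-/sys/class/net}      # assumed paths; adjust locally
FIFO=${FIFO:-/run/nft-nics.fifo}
INCLUDE=${INCLUDE:-/etc/nftables.d/nics.nft}
# Interfaces whose sysfs type is 1 (ARPHRD_ETHER). This skips lo (772) and
# tunnels but still includes bridges and veth ends; filter further if needed.
list_ethernet_devices() {
    local dir
    for dir in "$SYSFS_NET"/*; do
        if [ -r "$dir/type" ] && [ "$(cat "$dir/type")" = 1 ]; then
            printf '%s\n' "${dir##*/}"
        fi
    done
}

# Render e.g. define nics = { "enp1s0", "eth0" }. Names come from the kernel
# but are still treated as data: anything outside a conservative character set
# is refused, and an empty list is an error so the chain is never left unbound.
generate_nics_define() {
    local out="" name
    for name in $1; do
        case $name in
            *[!A-Za-z0-9._-]*) echo "refusing unsafe name: $name" >&2; return 1 ;;
        esac
        out="${out:+$out, }\"$name\""
    done
    [ -n "$out" ] || return 1
    printf 'define nics = { %s }\n' "$out"
}

# Write the include atomically so nft never reads a half-written file.
generate_include() {
    local names tmp
    names=$(list_ethernet_devices) || return 1
    tmp=$(mktemp "$INCLUDE.XXXXXX") || return 1
    if generate_nics_define "$names" > "$tmp"; then
        mv -f "$tmp" "$INCLUDE"
    else
        rm -f "$tmp"; return 1
    fi
}
# One newline per udev add/remove event; the <> open stops read from seeing
# EOF when the writer exits, and events are handled one at a time.
run_event_loop() {
    while read -r _event; do
        generate_include && systemctl restart nftables
    done <> "$FIFO"
}
if [ "${1:-}" = run ]; then run_event_loop; fi
```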